(57) Abstract

By establishing a secure channel from a client to a back-end resource after the client is authenticated, both security and authentication
can be achieved. Before access is permitted, two levels of authentication are provided: a client-side certificate is first requested, and
the client must then decrypt an encrypted message. Authorization for access to the back-end resource can be controlled by requiring a
transaction-specific authorization device, provided to the client in the encrypted message.




WO 00/27089
PCT/US99/25215

SECURE AUTHENTICATION FOR 
ACCESS TO BACK-END RESOURCES 

Technical Field and Background Art

This application claims the benefit of U.S. Provisional Application
No. 60/106,290, filed October 30, 1998.

Traditionally, access to back-end resources, such as corporate
databases, has been accomplished within secure mainframe environments
or other internal networks. In such settings, security and user authentication
are achieved with a high degree of reliability.

With the advent of the Internet, remote users need to access such
resources from outside the protected environment. However, when these
resources are accessed over the Internet, additional measures are required
to provide assurances of security and user authentication.

Brief Description of the Drawings

Figure 1 is a block diagram of a system providing security and
authentication;

Figure 2 is a flow chart of the operation of the system of Figure 1.

Modes for Carrying Out the Invention

Data security and user authentication can be achieved in an Internet
environment by establishing a secure channel from the user or client to the
back-end resource and then by providing an authorization device which the
user in turn employs to access the back-end resource.

In one configuration, illustrated in the block diagram of Figure 1, a
client 10, using an Internet browser 12 equipped with the means necessary
to create a secure session, accesses a back-end system 20 on which a
back-end resource 22 resides, through a client-accessible system 30. The
back-end resource 22 may be a database or some other source of data or
device that the client wishes to access.

The interconnection 14 between the client 10 and the client-accessible
system 30 can be over a network such as the Internet or through
some other medium. Similarly, the link 16 between the client-accessible
system 30 and the back-end system 20 can be over a network such as the
Internet or through some other data link.

The process has two parts: first, a secure connection is established
and the client is authenticated and, second, the client accesses the desired
information. A secure connection from the client 10 to the back-end
system 20 can be created using a secure protocol such as SSL (secure
sockets layer). Software resident on the client-accessible system 30,
designated a router 34, and on the back-end system 20, designated an
enabler 24, allows the establishment of the secure session from the client 10
to the back-end system 20 using well-known techniques for the purpose of
authenticating the client 10. In the case of SSL, a public key certificate,
attesting to and establishing the identity of the client 10, is requested from
the client by the enabler 24. The back-end system 20 verifies that certificate
as part of creating the secure session. As is customary in SSL, the enabler 24
also provides a certificate to the client 10.

The process begins with a query from the client 10. To acquire a
specific piece of information from the back-end resource 22, the client 10
enters a pre-determined URL on its Internet browser 12 specifying a port on
the client-accessible system 30 linked to the router 34. The URL may
assume the following form:

https://hostname:7777/abc.cgi

The "https" designation within the above URL indicates that a secure session
- in this example, SSL - is to be established between the browser 12 and
the client-accessible system 30. Since the URL specifies "hostname:7777,"
the browser 12 will create a secure session at port 7777 of the destination
known as "hostname." That port indicates the location of the router 34, which
passes the query to the enabler 24.

Once a secure session is created between the client 10 and the back-end
system 20, the browser 12 sends along the rest of the URL (e.g.,
"abc.cgi"), the actual request, through the router 34 in encrypted form. Note
that all information exchanged from here on is encrypted. The request,
"abc.cgi," is the name of the routine that will retrieve the information from the
back-end resource 22. The router 34 passes this encrypted message to the
enabler 24 on the back-end system 20. The enabler 24 decrypts the request
and determines whether the request will be authorized and access permitted.
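The first part of the process, as an added illustration written for this page and not code from the application: a Go program in which the enabler 24 is a TLS listener that requires and verifies a client certificate, the browser 12 is a TLS client, and the rest of the URL ("abc.cgi") is sent only after the secure session exists. The certificates are self-signed and generated on the fly, each party trusting the other's directly (an assumption made to keep the example short; the application specifies no CA arrangement), the router 34 is left out because it only relays the still-encrypted bytes, the names "hostname" and "alice" are constructed, and the ticket value W that comes back is a placeholder. The client's proof that it holds the certificate's private key happens inside the handshake, which is what RequireAndVerifyClientCert enforces; Demo(false) shows the refusal when no certificate is offered.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned makes a self-signed certificate for one party and a pool trusting
// only it. Assumption of this example: peers trust each other directly, no CA.
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // the browser matches the URL's host name against this
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// startEnabler is the enabler 24: it refuses any handshake lacking a trusted
// client certificate, reads the routine name sent over the encrypted channel,
// applies its authorization policy, and replies with the redirect URL.
func startEnabler(cert tls.Certificate, clientRoots *x509.CertPool) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the first authentication step
		ClientCAs:    clientRoots,
	})
	must(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(tc *tls.Conn) {
				defer tc.Close()
				if tc.Handshake() != nil {
					return // no certificate, or one the enabler does not trust: denied
				}
				who := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
				req, err := bufio.NewReader(tc).ReadString('\n')
				if err != nil || strings.TrimSpace(req) != "abc.cgi" {
					return // authorization policy: only the known routine is served
				}
				fmt.Fprintf(tc, "https://hostname/abc.cgi?W=ticket-for-%s\n", who) // W is a placeholder
			}(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String()
}

// Demo plays the browser 12: open the secure session (with the client
// certificate when withCert is true), send "abc.cgi" and return the redirect
// URL; without the certificate the refusal surfaces as an error, not a URL.
func Demo(withCert bool) (string, error) {
	serverCert, serverRoots := selfSigned("hostname")
	clientCert, clientRoots := selfSigned("alice")
	addr := startEnabler(serverCert, clientRoots)
	cfg := &tls.Config{RootCAs: serverRoots, ServerName: "hostname"}
	if withCert {
		cfg.Certificates = []tls.Certificate{clientCert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	fmt.Fprintln(conn, "abc.cgi") // the rest of the URL travels inside the secure session
	line, err := bufio.NewReader(conn).ReadString('\n')
	return strings.TrimSpace(line), err
}

func main() {
	fmt.Println(Demo(true))
	fmt.Println(Demo(false))
}
```

With TLS 1.2 the missing certificate fails the dial itself; with TLS 1.3 the client's side of the handshake completes first and the server's alert arrives on the first read. Either way the client never obtains a redirect URL, which is the property the description relies on.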

Assuming that the client 10 is authorized entry, the enabler 24 will
send a message back to the client 10 over the secure connection. The
message can contain a redirection command such as a new or redirect URL,
sending the client 10 to a different port on the client-accessible system 30,
or to an entirely different client-accessible system, through which the desired
information will be provided. The redirect URL may be of the form:

https://hostname/abc.cgi?{W}

Again, abc.cgi is the routine for retrieving the information. The redirect URL
may also contain an authorization device, designated W in the URL above.

One such authorization device can be a web ticket. This authorization
device or web ticket is the permission from the back-end resource 22
allowing the web-server 32 to act on behalf of the client for the purpose of
accessing the requested information.

When the client 10 receives the message with the authorization
device or web ticket, it arrives, of course, in encrypted form. By virtue of the
act of decrypting the message (in SSL, using the originally-created session
key), the client 10 has further authenticated itself. Thus, the process
described here offers dual authentication, once upon creating the secure
session and again when the client 10 decrypts the redirect message.

The client 10 then goes to the new or redirect URL, entering a
presentation server such as a web-server 32 on the original client-accessible
system 30 through a different port (e.g., port 443 - the default
secure port) or perhaps another web-server residing on a different system.
For purposes of this discussion, the presentation server will be referred to as
a "web-server" hereafter, but it should be understood that the depicted
web-server may be any suitable device.

The redirect URL also contains an "https" designation, indicating that
a secure session is to be created between the web-server 32 and the
client 10. The authorization device or web ticket is forwarded to the back-end
system 20 and, if the authorization device is deemed to be valid, the
request is honored. The requested information is then passed from the
back-end resource 22 to the web-server 32, which generates a web page
containing the information. This page is then sent to the client 10 via the
secure connection.

The web ticket may include a time stamp to limit the time of its validity.
Alternatively, the authorizing elements of the web ticket can be changed after
a period of time, effectively invalidating the web ticket at the time of the
change, or it may be usable only once.
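The authorization device, as an added example written for this page and not taken from the application: a Go implementation of a web ticket W that is bound to one routine and one client, carries an expiry time stamp, is usable only once, and is voided in bulk by changing the authorizing element (here, the key). The ticket layout, the HMAC-SHA256 authenticator and the names Issuer, Issue, Redeem, Rotate and TicketFromURL are this example's own choices; the application specifies none of them. TicketFromURL is the web-server 32's part (extract W from the URL the client followed), Redeem is the back-end's acceptance check, and the secret "constructed-secret" and the names alice and abc.cgi are constructed inputs.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// The ways a presented web ticket can be refused; each is a denial of access.
var (
	ErrMalformed = errors.New("ticket: malformed")
	ErrBadMAC    = errors.New("ticket: bad authenticator (forged, or issued under a rotated key)")
	ErrRoutine   = errors.New("ticket: bound to a different routine")
	ErrExpired   = errors.New("ticket: expired")
	ErrReplayed  = errors.New("ticket: already redeemed")
)

// Issuer stands in for the enabler's ticket logic. The layout routine|client|expiry|nonce|hmac
// is this example's own choice (the patent leaves it open); a single goroutine is assumed.
type Issuer struct {
	key  []byte           // the "authorizing element": changing it voids every outstanding ticket
	used map[string]bool  // nonces already redeemed, so a ticket is usable only once
	now  func() time.Time // injectable clock, so expiry can be exercised deterministically
}

func NewIssuer(key []byte, now func() time.Time) *Issuer {
	return &Issuer{key: key, used: map[string]bool{}, now: now}
}

func (is *Issuer) mac(payload string) string {
	m := hmac.New(sha256.New, is.key)
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}

// Issue mints ticket W for a client that already passed certificate authentication,
// bound to one routine (names must not contain '|') and valid for ttl, and returns
// the redirect URL https://hostname/<routine>?W=... that carries it to the client.
func (is *Issuer) Issue(routine, client string, ttl time.Duration) string {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	payload := strings.Join([]string{routine, client,
		strconv.FormatInt(is.now().Add(ttl).Unix(), 10), hex.EncodeToString(nonce)}, "|")
	w := base64.RawURLEncoding.EncodeToString([]byte(payload + "|" + is.mac(payload)))
	return "https://hostname/" + routine + "?" + url.Values{"W": {w}}.Encode()
}

// Redeem is the back-end's check when the web-server forwards W: the MAC must verify
// under the current key, and the ticket must name this routine, be unexpired and never
// have been redeemed before. It returns the client the ticket was issued to.
func (is *Issuer) Redeem(w, routine string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(w)
	parts := strings.Split(string(raw), "|")
	if err != nil || len(parts) != 5 {
		return "", ErrMalformed
	}
	payload := strings.Join(parts[:4], "|")
	if !hmac.Equal([]byte(parts[4]), []byte(is.mac(payload))) { // constant-time comparison
		return "", ErrBadMAC
	}
	if parts[0] != routine {
		return "", ErrRoutine
	}
	exp, _ := strconv.ParseInt(parts[2], 10, 64) // an unparsable expiry reads as 0: expired
	if is.now().Unix() > exp {
		return "", ErrExpired
	}
	if is.used[parts[3]] {
		return "", ErrReplayed
	}
	is.used[parts[3]] = true // entries older than their expiry could be pruned here
	return parts[1], nil
}

// Rotate swaps the authorizing element, the description's alternative to a time
// stamp: every ticket issued under the old key fails its MAC check at once.
func (is *Issuer) Rotate(newKey []byte) { is.key = newKey }

// TicketFromURL is the web-server's part: split the redirect URL the client
// followed into the routine to run and the ticket W to forward to the back-end.
func TicketFromURL(raw string) (routine, w string, err error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Query().Get("W") == "" {
		return "", "", ErrMalformed
	}
	return strings.TrimPrefix(u.Path, "/"), u.Query().Get("W"), nil
}

func main() {
	is := NewIssuer([]byte("constructed-secret"), time.Now)
	_, w, _ := TicketFromURL(is.Issue("abc.cgi", "alice", time.Minute))
	fmt.Println(is.Redeem(w, "abc.cgi")) // succeeds once; a second Redeem returns ErrReplayed
}
```

Because the key lives only on the back-end, the web-server can forward W but cannot mint one, which is what lets the back-end treat a valid W as permission for the web-server to act on the client's behalf. The three expiry mechanisms the description lists map to the time stamp check, the used set and Rotate, and they compose: a rotated key also voids tickets that are still within their time window.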
The foregoing method can be used with multiple back-end resources
and/or client-accessible systems. For example, the client-accessible system
could have multiple routers. Further, the method can be used in a system
with multiple layers of client-accessible systems, i.e., web-servers,
application servers, and the like. Where there are multiple layers, the
method is repeated in "nested" fashion, repeating the process of establishing
a secure session, exchanging certificates, and providing a redirect with an
authorization device at each layer until the last layer, a back-end resource,
is reached.

In the foregoing examples, SSL is used to create a secure session.
Other schemes could be employed to achieve the same purpose.
What is claimed is:

1. A method for permitting a client to access a back-end resource
via network-based client-accessible systems comprising web-servers,
comprising the steps of:

establishing a first secure connection between the client and the back-end
system via a client-accessible system, the step of establishing a first
secure connection comprising the step of obtaining client authentication;

initiating a request by the client for information from the back-end
resource;

generating an authorization device and redirection command;

passing the authorization device and the redirection command to the
client;

establishing a second secure connection between the client and a
web-server according to the redirection command;

presenting the authorization device to the back-end system;

passing the information from the back-end resource to the web-server;
and

passing the information from the web-server to the client via the
second secure connection.

2. A method as set forth in claim 1, where the step of obtaining
client authentication comprises the steps of providing a client certificate to
the back-end resource and using the client certificate to create the secure
session.

3. A method as set forth in claim 1, further comprising the step of
encrypting the authorization device and redirection command prior to the
step of passing the authorization device and redirection command to the
client.

4. A method for establishing a secure connection between a client
and a back-end system via network-based client-accessible systems
comprising web-servers, comprising the steps of:

establishing a first secure connection between the client and the back-end
system via a client-accessible system, the step of establishing a first
secure connection comprising the step of obtaining client authentication;

initiating a request by the client for information from the back-end
resource;

generating an authorization device and redirection command;

passing the authorization device and the redirection command to the
client;

establishing a second secure connection between the client and a
web-server according to the redirection command; and

presenting the authorization device to the back-end system.

5. A method as set forth in claim 4, where the step of obtaining
client authentication comprises the steps of providing a client certificate to
the back-end resource and using the client certificate to create the secure
session.

6. A method for authorizing remote client access to a back-end
resource via a web-server on a network, comprising the steps of:

generating an authorization device;

passing the authorization device to the client through a first secure
connection;

establishing a second secure connection between the client and a
web-server;

passing the authorization device to the web-server via the second
secure connection;

passing the authorization device from the web-server to the back-end
resource;

passing the information from the back-end resource to the web-server;
and

passing the information from the web-server to the client via the
second secure connection.

7. A method as set forth in claim 6, further comprising the step of
encrypting the authorization device and redirection command prior to the
step of passing the authorization device and redirection command to the
client.

8. A system for establishing a secure connection between a client
and a back-end resource, comprising:

a back-end system comprising

the back-end resource; and

an enabler, the enabler comprising

means for authenticating the client; and

means for authorizing retrieval of information for
the client; and

at least one network-based client-accessible system comprising

at least one web-server; and

a router comprising means for communicating with the
client and the enabler.

9. A system as set forth in claim 8, where the means for
authenticating the client comprises means for receiving a certificate of
authentication from the client via the router.

10. A system as set forth in claim 8, where the means for
authorizing retrieval comprises means for generating an authorizing device
for receipt by the client via the router and subsequent presentation to the
back-end system.